This should be a two-stage process for safety's sake, but it could be completed in one job.
Create and implement the new certificate
//*
//* +--------------------------------------------------------------+
//* | NEWCERT1: Rekey certificate and rollover                     |
//* +--------------------------------------------------------------+
//*
//* REKEY creates a new certificate and key pair, copied from the
//* existing certificate, under a new label. ROLLOVER then replaces
//* the old certificate with the new one in every key ring it is
//* connected to and retires the old private key.
//*
//NEWCERT1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD DUMMY
//SYSTSIN  DD *
PROF MSGID WTPMSG
/* REKEY: LABEL is the current certificate, WITHLABEL the new one */
RACDCERT ID(TCPSTC) -
   REKEY( -
      LABEL('TN3270 SERVER SELF SIGNED CERT')) -
   NOTBEFORE(DATE(2008-01-01)) -
   NOTAFTER(DATE(2011-12-31)) -
   WITHLABEL('TN3270 SERVER CERT 2008')
/* ROLLOVER: NEWLABEL must match the WITHLABEL value above */
RACDCERT ID(TCPSTC) -
   ROLLOVER( -
      LABEL('TN3270 SERVER SELF SIGNED CERT')) -
   NEWLABEL('TN3270 SERVER CERT 2008')
/* Refresh the in-storage profiles so the change takes effect */
SETR RACLIST(FACILITY) REFRESH
SETR RACLIST(DIGTCERT) REFRESH
/*
//
To renew the certificate, a few changes have to be made:
The LABEL value must be the same as the current label. This is case sensitive.
The WITHLABEL value must be a new value. This is case sensitive.
The NOTBEFORE date can be no later than today.
To roll over the certificate, i.e. activate it:
The LABEL value must be the same as the current label. This is case sensitive.
The NEWLABEL value must be the value set in the WITHLABEL parameter of the REKEY command. This is case sensitive.
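The label and date rules above, written as a check that runs before the commands are generated (an added example, not part of the original post; the function names are my own, and the 32-character label limit is assumed from RACDCERT's label rules). Taking NEWLABEL from the same value as WITHLABEL removes the chance of the two drifting apart through a typo.

```python
"""Check REKEY/ROLLOVER inputs and emit the RACDCERT commands (added example)."""
from datetime import date

MAX_LABEL_LEN = 32  # assumed RACDCERT label maximum


def check_renewal(current_label, new_label, not_before, not_after, today=None):
    """Return a list of rule violations (empty when the inputs are usable)."""
    today = date.fromisoformat(today) if today else date.today()
    nb, na = date.fromisoformat(not_before), date.fromisoformat(not_after)
    problems = []
    for name, label in (("LABEL", current_label), ("WITHLABEL", new_label)):
        if not label or len(label) > MAX_LABEL_LEN:
            problems.append(f"{name} must be 1-{MAX_LABEL_LEN} characters")
    # Labels are compared case sensitively: only an exact match collides.
    if new_label == current_label:
        problems.append("WITHLABEL must differ from the current LABEL")
    if nb > today:
        problems.append("NOTBEFORE can be no later than today")
    if na <= nb:
        problems.append("NOTAFTER must be after NOTBEFORE")
    return problems


def build_renewal_commands(userid, current_label, new_label,
                           not_before, not_after, today=None):
    """Return [REKEY command, ROLLOVER command]; raise if a rule is broken."""
    problems = check_renewal(current_label, new_label, not_before, not_after, today)
    if problems:
        raise ValueError("; ".join(problems))
    # Dates are passed through as yyyy-mm-dd, the form DATE() expects.
    rekey = (f"RACDCERT ID({userid}) REKEY(LABEL('{current_label}')) "
             f"NOTBEFORE(DATE({not_before})) NOTAFTER(DATE({not_after})) "
             f"WITHLABEL('{new_label}')")
    # NEWLABEL is taken from the same variable as WITHLABEL on purpose.
    rollover = (f"RACDCERT ID({userid}) ROLLOVER(LABEL('{current_label}')) "
                f"NEWLABEL('{new_label}')")
    return [rekey, rollover]


if __name__ == "__main__":
    # Constructed sample using the labels from the job above.
    for cmd in build_renewal_commands("TCPSTC", "TN3270 SERVER SELF SIGNED CERT",
                                      "TN3270 SERVER CERT 2008", "2008-01-01",
                                      "2011-12-31", today="2008-01-15"):
        print(cmd)
```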
To ensure that TCP/IP picks up the new certificate, the secure port must be restarted.
Issue the following commands:
V TCPIP,,TELNET,STOP,PORT=S
(This stops port 23)
V TCPIP,,OBEYFILE,SYS1xx.TCPPARMS(TELNET)
(This starts port 23)
Issue these commands on one LPAR in the sysplex at a time, and test that you can still access the system before going on to the next LPAR.
Delete the old certificate
//*
//* +--------------------------------------------------------------+
//* | NEWCERT2: Delete old certificate                             |
//* +--------------------------------------------------------------+
//*
//* Removes the rolled-over certificate from the RACF database.
//* Run only after NEWCERT1 has been checked and the secure port
//* has been restarted and tested.
//*
//NEWCERT2 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD DUMMY
//SYSTSIN  DD *
PROF MSGID WTPMSG
/* LABEL here is the OLD certificate, not the new one */
RACDCERT DELETE(LABEL('TN3270 SERVER SELF SIGNED CERT')) ID(TCPSTC)
/* Refresh the in-storage profiles so the change takes effect */
SETR RACLIST(FACILITY) REFRESH
SETR RACLIST(DIGTCERT) REFRESH
/*
//
The LABEL value must be set to the label of the old certificate.
ONLY RUN THIS JOB IF THE FIRST JOB COMPLETES SUCCESSFULLY.
DO NOT RELY ON THE RETURN CODE FROM THE JOB – CHECK THE OUTPUT!